Abstract. We present in this paper a library to compute with Taylor models, a technique extending interval arithmetic to reduce decorrelation and to solve differential equations. Numerical software usually produces only numerical results. Our library can be used to produce both results and proofs. As seen during the development of Fermat's last theorem reported by Aczel (1996), providing a proof is not sufficient. Our library provides a proof that has been thoroughly scrutinized by a trustworthy and tireless assistant. PVS is an automatic proof assistant that has been extensively developed and used and that has no internal connection with interval arithmetic or Taylor models. We built our library so that PVS validates each result as it is produced. As producing and validating a proof is, and will certainly remain, a bigger task than just producing a numerical result, our library will never be a replacement for imperative implementations of Taylor models such as Cosy Infinity. Our library should mainly be used to
validate small to medium size results that are involved in safety or life critical applications.

Keywords: PVS, program verification, interval arithmetic, Taylor models.

1. Introduction

Taylor models, see for example (Makino and Berz, 2003) and references therein, have recently emerged as a nice and convenient way to reduce decorrelation in interval arithmetic (Moore, 1966; Neumaier, 1990; Jaulin et al., 2001). Taylor models are even more attractive when one solves initial value problems for ODEs, as they provide a validated built-in integration operator.

Yet, it is now beyond doubt that programs and libraries contain bugs, no matter how precisely they have been specified and how thoroughly they have been tested (Rushby and von Henke, 1991; Ross, 2005). As a consequence, the highest Common Criteria Evaluation Assurance Level, EAL 7¹, has only been awarded so far to products that provide validation using a formal tool, specifically an automatic proof checker in first or higher order logic.

We present here our library of Taylor models in PVS (Owre et al., 1992). Working with an 
automatic proof checker, we had to manage two tasks. The first task was to create a data type 

* This material is based on work supported by the Mathlogaps (Mathematical Logic and Applications) project, an Early Stage Research Training grant of the European Union.

† This work has been partially supported by PICS 2533 from the French National Center for Scientific Research (CNRS).

1 http://niap.nist.gov/cc-scheme/
and operations on this new type to allow users to define and evaluate expressions using Taylor models. The second task was to provide proofs that each operator is correct and a strategy to recursively analyze compound expressions. Both tasks rely on the recently published library on interval arithmetic for PVS (Daumas et al., 2005). As many mathematical developments are not yet available in PVS, we also had to develop an extended library on polynomials and prove a few theorems of analysis and algebra.

Our library on Taylor models can be used to quickly derive more or less accurate bounds. For example, users of formal tools have to provide proofs that radicals are non-negative for all expressions using square roots. Some proofs use intricate analysis, but most of them are very simple, and interval arithmetic or low degree evaluations with Taylor models can produce appropriate proofs. Our library can also be used to derive computer validated proofs of difficult results through an expert use of Taylor models.

The library will be available freely on the Internet as soon as it is stable. Side developments are integrated as they are produced into the NASA Langley PVS libraries². Meanwhile, all files can be retrieved from the author's website:

http://perso.ens-lyon.fr/francisco.jose.chaves.alonso/pvs-files/
1.1. Working with an automatic proof checker 

Software is used extensively for a wide array of tasks. Some pieces of software should never fail. Those used in transportation (planes, buses, cars...), in medical care (controlling pumps, monitors, prescriptions...) or in the army (parts of weapons, alarms...) belong to the fast-lengthening list of life or safety critical applications. A mindless modification of one parameter reportedly caused human losses at the Instituto Oncológico Nacional in Panama, where eight people died and twenty others were hurt (Gage and McCormick, 2004). Many lethal and costly failures (Information Management and Technology Division, 1992; Lions and others, 1996) show beyond reasonable doubt that traditional software verification is not sufficient to guarantee correct behavior.

PVS³ (Prototype Verification System) by Owre et al. (1992; 2001a; 2001b) is one environment for the development and analysis of formal specifications that allows the elaboration of theories and proofs. The system deals with theories in which users develop definitions, axioms and theorems. To verify that theorems are correct, PVS uses a typed higher-order logic where new types are defined from a list of basic types including booleans, natural numbers, integers... The type system allows the definition of functions, records, tuples and abstract data types.

PVS uses predicate subtypes, i.e. subtypes where all objects satisfy a given predicate. For example {x : real | x ≠ 0} is the set of non-zero reals. Subtype predicates are used for operations that are not defined for all possible inputs; the restriction is therefore visible in the signature of the operation. For example, division is an operation on real numbers such that the type of the denominator is a real number different from zero. As a result, all functions of PVS are total in the sense that the domain and the signature must explicitly exclude any input for which the function could not be defined.

As the predicates used by the system to define types are arbitrary, type checking is undecidable and it usually generates proof obligations named type correctness conditions (TCCs). Users have to provide proofs of the generated TCCs with the help of PVS.

In PVS the λ operator defines anonymous functions. The expression λx.e is a function that has parameter x and returns expression e. For example, the function that returns 0 for any value of its single parameter could be defined as λx.0, and the identity function that returns the same element that is given as parameter is λx.x. The function λk : nat. if k = 0 then 1 else 0 endif is the sequence that returns 1 for input 0 and returns 0 for any other input.

2 http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-library/pvslib.html

3 http://pvs.csl.sri.com/



Nowadays, systems such as PVS are fully able to certify that programs are correct (Ross, 2005) but programmers scarcely use them. Providing a formal proof of correct behavior is a difficult task: it requires specific training, and the user interfaces of proof assistants are of little help for all the work that is not done automatically. The hope is that, as more and more work is done automatically, users will need only limited interactions with automatic proof checkers, down to the point where no interaction is required at all. This trend was recently coined as invisible formal methods (Tiwari et al., 2003).

1.2. A few words about interval arithmetic

In interval arithmetic, scalar variables x are replaced by pairs (a, b) with the semantics that x lies in the interval [a, b]. From then on, we compute bounds rather than values. We use operators commonly found in programming languages such as addition, subtraction, multiplication and so on (Jaulin et al., 2001).

$$[a, b] + [a', b'] = [a + a', b + b']$$

$$[a, b] - [a', b'] = [a - b', b - a']$$

$$c \cdot [a, b] = [c \cdot a, c \cdot b] \qquad c \ge 0$$

$$[a, b] \cdot [a', b'] = [\min\{aa', ab', ba', bb'\}, \max\{aa', ab', ba', bb'\}]$$

Working with automatic proof checkers, we convert operations into properties (Daumas et al., 2005): for x ∈ [a, b] and y ∈ [a', b'],

$$x + y \in [a, b] + [a', b'], \qquad x - y \in [a, b] - [a', b'], \qquad x \cdot y \in [a, b] \cdot [a', b'].$$

Decorrelation is a problem intrinsic to interval arithmetic. There is decorrelation in the interval evaluation of any expression where one or more variables appear more than once. For example, the simplest scalar expression

$$x - x$$

where x ∈ [0, 1], is replaced in interval arithmetic by

$$[0, 1] - [0, 1] = [-1, 1].$$

Everyone agrees that x − x lies in the interval [0, 0], but interval arithmetic produces the correct but very poor interval [−1, 1]. Decorrelation and other problems lead interval arithmetic to overestimate the domain of results. Techniques are used intensively to produce tighter results.

One such technique is based on Taylor's theorem with Lagrange remainder, where f is n times continuously differentiable between x_0 and x, f is n + 1 times differentiable strictly between x_0 and x, and 0 < θ < 1.

$$f(x) = f(x_0) + (x - x_0) f'(x_0) + \frac{(x - x_0)^2}{2!} f''(x_0) + \cdots + \frac{(x - x_0)^n}{n!} f^{(n)}(x_0) + \frac{(x - x_0)^{n+1}}{(n+1)!} f^{(n+1)}\bigl(x_0 + (x - x_0)\theta\bigr)$$

Adapting Taylor's theorem to interval arithmetic, we obtain the formula below (Daumas et al., 2005) for x and x_0 in I.

$$f(x) \in f(x_0) + (I - x_0) f'(x_0) + \frac{(I - x_0)^2}{2!} f''(x_0) + \cdots + \frac{(I - x_0)^n}{n!} f^{(n)}(x_0) + \frac{(I - x_0)^{n+1}}{(n+1)!} f^{(n+1)}(I)$$


Using Taylor's theorem was appropriate in (Daumas et al., 2005) but it has many drawbacks:

— It is difficult to hide the use of Taylor's theorem in order to provide invisible formal methods. This is due to the large number of quantities involved in instantiating the theorem in its generic form. Progress has been achieved by Muñoz after the publication of Daumas et al.

— To use Taylor's theorem, one has to express the derivatives of function f.

— For large expressions, f alone might be too large to be expressed in PVS.

Taylor models, presented in the rest of this text, overcome all the previous drawbacks at the price of a less accurate approximation. We have developed a set of operations for PVS that includes addition, negation, scalar multiplication, multiplication, reciprocal and exponential. We present our developments in PVS, first quickly on polynomial functions and then on Taylor models. We finish with concluding remarks and a few toy examples.



2. Implementing polynomials in PVS 

For the implementation of polynomials we considered a finite list of monomial functions, a finite sequence of coefficients and an infinite power series with finite support. Finite lists or sequences usually imply the construction of a new inductive type à la Coq⁴ (Bertot and Castéran, 2004). We implemented polynomials as power series with finite support. This scheme is appropriate for a proof system like PVS and is compatible with the NASA series libraries⁵.

Working with sequences of coefficients rather than monomial functions means that we need the powerseries function to evaluate polynomial P on input x. It also means that some theorems can be established on finite support series rather than on polynomial functions.

2.1. Finite support series 

Our implementation of polynomials is outlined in Figure 1. It mostly describes mathematical objects (definitions, functions, theorems...) with common words, except for the notions introduced in Section 1.1.

We define the predicate finite_support(a, N) just after the preamble. Addition of sequences was already defined and is imported from previous work in the preamble. We had to define a product operator and a composition operator. The first operator applies to generic series. The second operator requires that the first sequence a returns zero for indices above input d.

In the second half of Figure 1 we proved that negation, addition, multiplication by a scalar, multiplication and composition return finite support series provided (both) inputs are finite support series. We also proved that Cauchy's product is meaningful for finite support series. The meaning of composition can only be assessed in regard to polynomial functions.

2.2. Polynomial 

As we have mentioned earlier, we use the polynomial(a, n) function to create a power series from the finite support sequence a, based on the powerseries(a)(x)(N) function implemented in previous work. Extended results on polynomial functions are presented in Figure 2, based on the NASA libraries.

$$\mathrm{polynomial}(a, n)(x) = \sum_{k=0}^{n} a_k \cdot x^k$$

4 See for example http://www.lfcia.org/staff/freire/phd-gilberto/gilberto_phd_html/.

5 http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-library/pvslib.html



finite_support: THEORY
BEGIN

  IMPORTING series@series, reals@sqrt, series@power_series

  a, b, c: VAR sequence[real]
  N, M, L, n, m, l, i, j: VAR nat
  x: VAR real

  finite_support(a: sequence[real], N: nat): boolean =
    FORALL (n: nat): n > N IMPLIES a(n) = 0

  cauchy(a, b: sequence[real])(n: nat): real =
    sigma(0, n,
          LAMBDA (k: nat):
            IF n >= k THEN a(k) * b(n - k) ELSE 0 ENDIF)

  comp(a, b: sequence[real], d: nat): RECURSIVE sequence[real] =
    IF d = 0
    THEN (LAMBDA n: IF n = 0 THEN a(0) ELSE 0 ENDIF)
    ELSE LET c = (LAMBDA n: IF n = d THEN 0 ELSE a(n) ENDIF) IN
         a(d) * pow(b, d) + comp(c, b, d - 1)
    ENDIF
    MEASURE d

  neg_fs: LEMMA
    finite_support(a, N) IMPLIES finite_support(-a, N)
  add_fs: LEMMA
    finite_support(a, N) AND finite_support(b, M) AND L >= max(N, M)
      IMPLIES finite_support(a + b, L)
  scal_fs: LEMMA
    finite_support(a, N) IMPLIES finite_support(x * a, N)
  finite_support_mult: LEMMA
    finite_support(a, N) AND finite_support(b, M) IMPLIES
      finite_support(cauchy(a, b), N + M)
  finite_support_cauchy: LEMMA
    finite_support(a, N) AND finite_support(b, M) IMPLIES
      series(a)(N) * series(b)(M) = series(cauchy(a, b))(N + M)
  finite_support_comp: LEMMA
    finite_support(a, N) AND finite_support(b, M) IMPLIES
      finite_support(comp(a, b, N), N * M)

END finite_support

Figure 1. Abridged and reordered theory on finite support series (see file finite_support.pvs)



polynomials_ext: THEORY
BEGIN

  IMPORTING finite_support, trig_fnd@polynomial_deriv

  a, b, d: VAR sequence[real]
  n, N, M, L: VAR nat
  c: VAR real
  x, y: VAR real

  fs_powerseq: LEMMA
    finite_support(a, N) IMPLIES finite_support(powerseq(a, x), N)

  fs_condition: LEMMA
    finite_support(a, N) IFF (FORALL (i: posnat): a(N + i) = 0)

  scal_polynomial1: LEMMA
    x * polynomial(a, N) = polynomial(x * a, N)

  powerseries_polynomial: LEMMA
    polynomial(a, n)(x) = powerseries(a)(x)(n)

  polynomial_zero: LEMMA
    polynomial((LAMBDA (n: nat): 0), N)(x) = 0

  mul_polynomial: LEMMA
    finite_support(a, N) AND finite_support(b, M) IMPLIES
      polynomial(a, N)(x) * polynomial(b, M)(x) = polynomial(cauchy(a, b), N + M)(x)

  pow_polynomial: LEMMA
    finite_support(a, N) IMPLIES
      polynomial(a, N)(x)^n = polynomial(pow(a, n), n * N)(x)

  comp_polynomial: LEMMA
    finite_support(a, N) AND finite_support(b, M) IMPLIES
      polynomial(a, N)(polynomial(b, M)(x)) = polynomial(comp(a, b, N), N * M)(x);

  geom_polynomial: LEMMA
    (1 - x) * sigma(0, N, LAMBDA (i: nat): x^i) = 1 - x^(N + 1)

END polynomials_ext

Figure 2. Abridged extensions to the theory on polynomials (see file polynomials_ext.pvs)



We proved in this file that Cauchy's multiplication applies to finite support series as well as to polynomial functions. We also proved that the series obtained from composing two finite support series as defined in Section 2.1 defines the same polynomial function as the one that would be obtained by composing the polynomial functions associated with the two initial series.

Technical results are also presented in this file to provide more insight into our development.
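The operators of Figure 1 and the two lemmas of Figure 2 that rest on them, as an added example in Python with exact rationals (this is not the paper's PVS code; list indices play the role of sequence indices, the support bounds N and M are passed explicitly, and the sample sequences are constructed for the check):

```python
from fractions import Fraction as Fr

def coef(a, i):
    """a(i) for a finite support sequence stored as a list (0 beyond the list)."""
    return a[i] if i < len(a) else Fr(0)

def polynomial(a, n, x):
    """polynomial(a, n)(x) = sum_{k=0}^{n} a_k * x^k (Section 2.2)."""
    return sum(coef(a, k) * x**k for k in range(n + 1))

def add(a, b):
    """Term-wise sum of two sequences (support max(N, M), lemma add_fs)."""
    return [coef(a, i) + coef(b, i) for i in range(max(len(a), len(b)))]

def cauchy(a, b):
    """cauchy(a, b)(n) = sum_{k<=n} a(k) * b(n-k); support N + M (finite_support_mult)."""
    c = [Fr(0)] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] += ai * bj
    return c

def pow_seq(b, d):
    """pow(b, d): d-fold Cauchy product of b, pow(b, 0) being the sequence (1, 0, 0, ...)."""
    r = [Fr(1)]
    for _ in range(d):
        r = cauchy(r, b)
    return r

def comp(a, b, d):
    """comp(a, b, d) of Figure 1, recursive on d: a(d) * pow(b, d) + comp(c, b, d - 1),
    where c is a with its term of index d zeroed; comp(a, b, 0) is the constant a(0)."""
    if d == 0:
        return [coef(a, 0)]
    c = [Fr(0) if i == d else coef(a, i) for i in range(max(len(a), d + 1))]
    return add([coef(a, d) * t for t in pow_seq(b, d)], comp(c, b, d - 1))

# Constructed sample data: A = 1 + 2x + 3x^2 (support N = 2), B = 1 + x (support M = 1).
A = [Fr(1), Fr(2), Fr(3)]
B = [Fr(1), Fr(1)]

def check_mul_polynomial(x):
    """mul_polynomial: polynomial(a, N)(x) * polynomial(b, M)(x) = polynomial(cauchy(a, b), N + M)(x)."""
    return polynomial(cauchy(A, B), 3, x) == polynomial(A, 2, x) * polynomial(B, 1, x)

def check_comp_polynomial(x):
    """comp_polynomial: polynomial(a, N)(polynomial(b, M)(x)) = polynomial(comp(a, b, N), N * M)(x)."""
    return polynomial(comp(A, B, 2), 2, x) == polynomial(A, 2, polynomial(B, 1, x))
```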



3. Taylor models 

Taylor models (Makino and Berz, 2003) are pairs t = (P, I) where P is a polynomial function of fixed degree N and I is an interval. N is a constant that cannot be changed during the evaluation of expressions. In PVS, such pairs are defined as records with components between (# and #). Components can be addressed independently using a backquote, as in t`P and t`I.

Taylor model t is a correct representation of function f if it satisfies the containment predicate stated in Figure 3,

$$\forall x \in J,\quad f(x) - P(x) \in I$$

where J is usually [−1, 1].

Our first task was to define operations on Taylor models. Addition, negation and multiplication by a scalar are straightforward and can be read directly from Figure 3. Naive multiplication of Taylor models creates polynomials of degree 2N. The high order terms of the polynomials must be truncated and are accounted for in the interval part.

The inv reciprocal operator uses the following equality, where r ∈ I, p(0) ≠ 0 and p(x) has the same sign as p(0).

$$\frac{1}{p(x) + r} = \frac{1}{p(0)} \cdot \frac{p(x)}{p(x) + r} \cdot \frac{p(0)}{p(x)} \qquad (1)$$

We define $q(x) = 1 - p(x)/p(0)$, so that the last fraction of (1) is $1/(1 - q(x))$, and we expand it using the geometric series $\sum_{i \ge 0} q^i$ truncated to keep only a polynomial of degree N.

Decorrelation forbids evaluating the penultimate fraction of (1) directly, so we defined a new operator based on the lower bound and the upper bound of $I/p(J)$ that directly returns

$$\left[\frac{1}{1 + \mathrm{ub}(I/p(J))},\ \frac{1}{1 + \mathrm{lb}(I/p(J))}\right].$$

This operator cannot be replaced by a direct implementation of expressions such as

$$\frac{1}{1 + p(J)/I}$$

because I usually contains 0, which prevents using it as a divisor.

We also implemented the exponential of Taylor models using the following equality, where r ∈ I and $\tilde{e}^{x}$ is a rational approximation of $e^{x}$.

$$e^{p(x) + r} = \tilde{e}^{p(0)} \cdot e^{p(x) - p(0)} \cdot \frac{e^{p(0)}}{\tilde{e}^{p(0)}} \cdot e^{r}$$

The polynomial part of the result is obtained by developing and truncating the exponential series composed with p(x) − p(0). The interval part is set accordingly to account for all discarded quantities.

The five _sharp lemmas of the second part of Figure 3 show that the containment predicate is preserved by our operators. This means that we can deduce properties of expressions from their evaluation with Taylor models.



taylor_model[N: nat, (IMPORTING interval@interval) domInterval: Interval]: THEORY
BEGIN

  tm: TYPE = [# P: fs_type, I: Interval #]

  tm_equal: AXIOM
    t = u IFF polynomial(t`P, N) = polynomial(u`P, N) AND t`I = u`I;

  +(t, u: tm): tm = (# P := t`P + u`P, I := t`I + u`I #);
  -(t: tm): tm = (# P := -t`P, I := -t`I #);
  *(c: real, t: tm): tm = (# P := c * t`P, I := [|c|] * t`I #);
  *(t, u: tm): tm = (# P := trunc(cauchy(t`P, u`P), N), I := ... #);
  inv(t: {t: tm | same condition as below in tm_inv_sharp}): tm = (# P := ..., I := ... #);

  containment(f: [domIntervalType -> real], t: tm): bool =
    FORALL xu: (f(xu) - polynomial(t`P, N)(xu)) ## t`I

  tm_add_sharp: LEMMA
    containment(f, t) AND containment(g, u) IMPLIES containment(f + g, t + u)
  tm_scal_sharp: LEMMA
    containment(f, t) IMPLIES containment(x * f, x * t)
  tm_neg_sharp: LEMMA
    containment(f, t) IMPLIES containment(-f, -t)
  tm_mult_sharp: LEMMA
    containment(f, t) AND containment(g, u) IMPLIES containment(f * g, t * u)
  tm_inv_sharp: LEMMA
    FORALL (f: [domIntervalType -> nzreal],
            t: {t: tm | t`P(0) /= 0 AND
                        (t`I / intervalFromRealSeq(t`P, N))`lb /= 0 AND
                        (t`I / intervalFromRealSeq(t`P, N))`ub /= 0 AND
                        (t`I / intervalFromRealSeq(t`P, N)) > -1}):
      (FORALL xu:
         polynomial(t`P, N)(xu) /= 0 AND
         (f(xu) - polynomial(t`P, N)(xu)) / polynomial(t`P, N)(xu) + 1 /= 0 AND
         polynomial(LAMBDA (i: nat): IF i = 0 THEN 0 ELSE -t`P(i) / t`P(0) ENDIF, N)(xu) + 1 /= 0)
      AND Zeroless?([|t`P(0)|]) AND Zeroless?(...)
      AND Zeroless?(intervalFromRealSeq(t`P, N)) AND containment(f, t)
      IMPLIES containment(1 / f, inv(t))

END taylor_model

Figure 3. Abridged and reordered theory on Taylor models (see file taylor_model.pvs)



example: THEORY
BEGIN

  IMPORTING tm_exp[5, 5, (# lb := -1, ub := 1 #)]

  ch(x: tm): tm = (1/2) * (exp(x) + exp(-x))
  sh(x: tm): tm = (1/2) * (exp(x) - exp(-x))

  seq_px: fs_type = LAMBDA (n: nat): IF n = 1 THEN 1/1000 ELSE 0 ENDIF
  tm_x: tm = (# P := seq_px, I := [|0|] #)

  example1: tm = ch(2 * tm_x) * sh(3 * tm_x)

END example

Figure 4. A toy example of Taylor models (see file example.pvs)



In addition to proving mathematical theories, PVS provides a ground evaluator. It is an experimental feature of PVS that enables the animation of functional specifications. To evaluate them, the ground evaluator extracts Common Lisp code and then evaluates the generated code on the Common Lisp machine underlying PVS.

Uninterpreted PVS functions can be written in Common Lisp. PVS only trusts Lisp code generated automatically from PVS functional specifications, so one cannot introduce inconsistencies in PVS this way. However, such code is not type-checked by PVS and can break inadvertently.

PVSio⁶ is a PVS package developed by Muñoz that extends the ground evaluator with a predefined library including imperative programming language features. PVSio is loaded in the emacs interface using M-x load-prelude-library PVSio and then executed with M-x pvsio.

4. Toy example, concluding remarks and future work

Figure 4 shows how easily we can define expressions. PVSio is used to evaluate Taylor model expressions, and Figure 5 shows the polynomial and interval parts of the Taylor model of degree 5 of

$$\mathrm{ch}\!\left(2 \cdot \frac{x}{1000}\right) \cdot \mathrm{sh}\!\left(3 \cdot \frac{x}{1000}\right) = 3 \cdot \frac{x}{1000} + \frac{21}{2}\left(\frac{x}{1000}\right)^3 + \frac{521}{40}\left(\frac{x}{1000}\right)^5 + r$$

with

$$r \in 5150892483 \cdot 10^{-28} \cdot [-1, 1].$$

Coefficients are obtained from the expressions example1`P(0), P(1) down to P(5). The interval part is example1`I.
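An added Python model of the Taylor model operations of Section 3 applied to this toy example (it is not the paper's PVS library): degree N = 5 over J = [−1, 1] with exact rationals, products truncated to degree N with the discarded terms folded into the interval part, and an exp that sums the series directly with a tail bound instead of the paper's e^{p(0)} factorisation, so its interval part is wider than Figure 5's while its polynomial part is the same. It also shows the x − x expression of Section 1.2, whose Taylor model has a zero-width interval part.

```python
from fractions import Fraction as Fr
from math import factorial

N = 5                          # fixed degree N, as in Figure 4 (tm_exp[5, 5, [-1, 1]])
J = (Fr(-1), Fr(1))            # domain interval J of the containment predicate

def iv_add(a, b): return (a[0] + b[0], a[1] + b[1])
def iv_mul(a, b):
    ps = (a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1])
    return (min(ps), max(ps))
def iv_poly(coeffs):
    """Interval enclosure of sum_k c_k x^k for x in J (decorrelated, hence loose, but sound)."""
    acc, jk = (Fr(0), Fr(0)), (Fr(1), Fr(1))
    for c in coeffs:
        acc, jk = iv_add(acc, iv_mul((c, c), jk)), iv_mul(jk, J)
    return acc

class TM:
    """t = (P, I): for all x in J, f(x) - P(x) in I, with P stored as coefficients 0..N."""
    def __init__(self, P, I=(0, 0)):
        self.P = ([Fr(p) for p in P] + [Fr(0)] * (N + 1))[:N + 1]
        self.I = (Fr(I[0]), Fr(I[1]))
    def __add__(self, u): return TM([p + q for p, q in zip(self.P, u.P)], iv_add(self.I, u.I))
    def __neg__(self): return TM([-p for p in self.P], (-self.I[1], -self.I[0]))
    def __sub__(self, u): return self + (-u)
    def __rmul__(self, c):
        c = Fr(c)
        return TM([c * p for p in self.P], iv_mul((c, c), self.I))
    def __mul__(self, u):
        full = [Fr(0)] * (2 * N + 1)           # naive product has degree 2N
        for i, p in enumerate(self.P):
            for j, q in enumerate(u.P):
                full[i + j] += p * q
        # terms above degree N are truncated and enclosed over J in the interval part,
        # together with p_t(J)*I_u + p_u(J)*I_t + I_t*I_u (the cross terms of (p_t+r_t)(p_u+r_u))
        high = iv_poly([Fr(0)] * (N + 1) + full[N + 1:])
        I = iv_add(high, iv_mul(iv_poly(self.P), u.I))
        I = iv_add(I, iv_add(iv_mul(iv_poly(u.P), self.I), iv_mul(self.I, u.I)))
        return TM(full[:N + 1], I)

def exp_tm(t):
    """exp of a Taylor model as sum_{k<=N} t^k/k! plus a tail bound for |y| <= B,
    y = p(x) + r: a cruder remainder than the paper's e^{p(0)} factorisation."""
    lo, hi = iv_add(iv_poly(t.P), t.I)     # p(J) + I encloses y
    B = max(abs(lo), abs(hi))
    assert B < N + 2, "tail bound needs |y| < N + 2"
    tail = B ** (N + 1) / factorial(N + 1) * (N + 2) / (N + 2 - B)
    acc, power = TM([1]), TM([1])
    for k in range(1, N + 1):
        power = power * t
        acc = acc + Fr(1, factorial(k)) * power
    return acc + TM([0], (-tail, tail))

def ch(t): return Fr(1, 2) * (exp_tm(t) + exp_tm(-t))
def sh(t): return Fr(1, 2) * (exp_tm(t) - exp_tm(-t))

tm_x = TM([0, Fr(1, 1000)])            # Figure 4: seq_px, P(x) = x/1000, I = [0]
example1 = ch(2 * tm_x) * sh(3 * tm_x) # polynomial part equals the coefficients of Figure 5
x_minus_x = tm_x - tm_x                # the x - x of Section 1.2: P = 0, I = [0, 0]
```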

To conclude, we would like to say that we have three goals in presenting this report:

— Present an accurate report of the work involved, including the training of a PhD student in PVS. Though this development is significant, PVS validated projects can be achieved in a reasonable time-frame provided appropriate tutoring is available.

6 http://research.nianet.org/~munoz/PVSio



<PVSio> example1`P(0);
==> 0

<PVSio> example1`P(1);
==> 3/1000

<PVSio> example1`P(2);
==> 0

<PVSio> example1`P(3);
==> 21/2000000000

<PVSio> example1`P(4);
==> 0

<PVSio> example1`P(5);
==> 521/40000000000000000

<PVSio> example1`I;
==> (# lb := -1996666003792920908077809559596469417049924988435
67542489125827927772468257695416279793105352103584647/38763
49604747870233132233643700469577302245603256513727240130672
32422339563866364336668581220000000000000000000000000000,
ub := 1996666003792920908077809559596469417049924988435
67542489125827927772468257695416279793105352103584647/38763
49604747870233132233643700469577302245603256513727240130672
32422339563866364336668581220000000000000000000000000000 #)

Figure 5. Trace of our toy example of Taylor models

— Provide a simple tutorial to our library on Taylor models. Readers should be able to start validating their own results as soon as they have finished reading this paper.

— Offer a first easy step to the usage of automatic proof checkers. It is always frustrating to spend time on questions that can easily be solved by more or less elaborate techniques. As we now provide a PVS library for interval arithmetic and for Taylor models, one should be able to quickly answer most of the easy questions about round-off, truncation and modeling errors. Concentrating only on intricate questions is rewarding for academia and ensures financial support from industry.

In the future, we will implement more operations on Taylor models such as square root, sine, cosine and arctangent. We will also create PVS strategies to hide more and more details of Taylor models from users. Our main goal remains to help provide invisible formal methods.